08-29-2012 04:29 AM
I am teaching myself firewall filtering on a couple of EX switches and wanted to verify my understanding of how the filter would process the two terms below, which are part of one filter.
term term-one {
    from {
        source-mac-address {
            00:00:01:e1:de:00:be/48;
        }
        source-address {
            192.168.1.18/32;
        }
    }
    then {
        discard;
        syslog;
    }
}
term term-two {
    then {
        accept;
    }
}
If source-address and source-mac-address both match in term-one, then it will discard the packet and generate a syslog message. If it does not match in term-one, then the rest of the traffic should match in term-two and be accepted.
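To check the first-match reasoning in the post above, here is a small Python model of how a Junos firewall filter walks its terms. It is an added example, not Juniper code and not part of the original post; it models only the three rules that matter here: every from condition in a term must match (logical AND), the first matching term's then action decides the packet, and a packet that no term matches hits the implicit discard at the end of the filter. The MAC and IP addresses in the sample packets are constructed values.

```python
"""Model of how a Junos firewall filter walks its terms (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Packet:
    src_mac: str   # e.g. "00:00:01:e1:de:00"
    src_ip: str    # e.g. "192.168.1.18"


@dataclass
class Term:
    name: str
    src_mac: Optional[str] = None   # "from source-mac-address", e.g. "aa:bb:cc:dd:ee:ff/48"
    src_ip: Optional[str] = None    # "from source-address", e.g. "192.168.1.18/32"
    action: str = "accept"          # "then accept" or "then discard"
    syslog: bool = False            # "then syslog"


def _mac_to_int(mac: str) -> int:
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"MAC address must have six octets: {mac!r}")
    return int("".join(octets), 16)


def mac_matches(pkt_mac: str, spec: str) -> bool:
    """True if pkt_mac falls in the MAC prefix spec ("addr/len", /48 = exact)."""
    base, _, plen = spec.partition("/")
    bits = int(plen) if plen else 48
    mask = ((1 << bits) - 1) << (48 - bits)
    return (_mac_to_int(pkt_mac) & mask) == (_mac_to_int(base) & mask)


def ip_matches(pkt_ip: str, spec: str) -> bool:
    """True if pkt_ip lies inside the prefix spec (a host /32 works too)."""
    return ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(spec, strict=False)


def term_matches(term: Term, pkt: Packet) -> bool:
    """All 'from' conditions present in a term must match (logical AND).
    A term with no 'from' block matches everything."""
    if term.src_mac is not None and not mac_matches(pkt.src_mac, term.src_mac):
        return False
    if term.src_ip is not None and not ip_matches(pkt.src_ip, term.src_ip):
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, Optional[str], bool]:
    """Return (action, name of the matching term, syslog?) for the first term
    that matches; a packet no term matches hits the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term.action, term.name, term.syslog
    return "discard", None, False


# The two terms from the post, with a constructed six-octet MAC address.
FILTER = [
    Term("term-one", src_mac="00:00:01:e1:de:00/48",
         src_ip="192.168.1.18/32", action="discard", syslog=True),
    Term("term-two"),   # no 'from': matches all remaining traffic
]

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("00:00:01:e1:de:00", "192.168.1.18"),  # MAC and IP both match
        Packet("00:00:01:e1:de:01", "192.168.1.18"),  # IP matches, MAC does not
        Packet("00:00:01:e1:de:00", "10.0.0.5"),       # MAC matches, IP does not
    ]
    for p in samples:
        print(p, "->", evaluate(FILTER, p))
    # Without term-two the same non-matching packet hits the implicit discard.
    print("term-one only:", evaluate(FILTER[:1], samples[1]))
```

Running it shows the three outcomes the post asks about: only the packet whose MAC and IP both match is discarded and logged by term-one, a packet matching on one condition alone falls through to term-two and is accepted, and with term-two removed that same packet is silently discarded by the implicit rule rather than accepted.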
08-29-2012 07:19 AM
Yes, it would do as you said; however, why would you want to? In the real world, the MAC address should be unique, so there would be no need to have both options present.
If you didn't apply the second term, then you would have an implicit deny as well, so putting in the second term covers all other traffic, so well done.
I'm not sure if you have seen the fasttrack learning resources; however, in the JNCIS-ENT Switching Study Guide, chapter 5 details firewall filters on EX switches and where you can apply them. You can access them here: https://learningportal.juniper.net/juniper/user_fa
08-29-2012 02:10 PM
Hey there,
Reading this filter, I would assume there is a constraint between the MAC (physical device) and IP address, potentially some redundancy/backup-mode enforcing; hence including both in the from statement.
Cheers,